Clamav setup on arch

Slightly more verbose setup than the Arch wiki…

I just set up clamav on my machine again. I’m starting to appreciate the arch wiki not being overly verbose as I get more used to reading it - e.g. the assumption that you know how to start/restart a daemon. However, it is a challenge at first and can lead to some confusion.

Here is a more complete rundown of the some of the steps I took.

The basis for this post is the clamav page on the Arch Wiki which should be taken as a starting point.

Note that this is correct at time of writing on 2026/04/03. I will aim to update this with future changes and note as such.

Basic Setup

• Install clamav from pacman using (run as sudo):

  pacman -S clamav
  

  This will create the default config files for freshclam, clamd, and clamav-milter at /etc/clamav/.
• Edit /etc/clamav/clamd.conf as desired (see suggestions in the Arch wiki) to increase recursion, set alerts, etc.
  • We can check this using:

    clamconf
    

• Set up real-time protection following the wiki
  • Scans files in real-time whilst reading/writing/executing.
  • I used the following additions to /etc/clamav/clamd.conf:

    OnAccessMountPath /
    OnAccessExtraScanning yes
    

  • Set up notifications
    • The above will report to the log file at /var/log/clamav/clamd.log but requires us to monitor there for anything that is caught.
    • We can set up a notification using notify-send by adding the following to /etc/clamav/clamd.conf

      VirusEvent /etc/clamav/virus-event.bash
      

    • We can give the clamav user (created as part of the install and config to run clamav-associated processes) permission to run notify-send by adding /etc/sudoers.d/clamav with:

      clamav ALL = (ALL) NOPASSWD: SETENV: /usr/bin/notify-send
      

    • We then create a bash script /etc/clamav/virus-event.bash to handle alerts and create a notification as described in the wiki. This need to be made executable with chmod +x /etc/clamav/virus-event.bash run as sudo.
    • If you do not have desktop notifications set up see the aside below .
  • Edit the clamonacc daemon to allow file descriptor passing to clamav. Do not edit the file directly, instead create a drop-in override by running (via sudo):

    systemctl edit clamav-clamonacc.service
    

    This creates /etc/systemd/system/clamav-clamonacc.service.d/override.conf instead of editing /usr/lib/systemd/system/clamav-clamonacc.service which would cause pacman conflicts during future updates.
  • We can now start and enable the clamonacc and clamav-daemon services with:

    systemctl start clamav-clamonacc.service
    systemctl start clamav-daemon.service
    systemctl enable clamav-clamonacc.service
    systemctl enable clamav-daemon.service
    

    This will prompt for authentification if not run via sudo. If already started use restart instead of start.
• Update database with freshclam
  • This will pull down the latest definitions to check against and needs to be run via sudo:

    freshclam
    

    It places definitions in /var/lib/clamav/ and
    writes to a log at /var/log/clamav/freshclam.log.
  • Rather than manually update setup automatic updates using the freshclam service.
    • First move give the clamav user permissions for the logfile running (via sudo):

      chmod 600 /var/log/clamav/freshclam.log
      chown clamav /var/log/clamav/freshclam.log
      

    • Then start and enable the service with:

      systemctl start clamav-freshclam.service
      systemctl enable clamav-freshclam.service
      

      which will check for updates every 2 hours. Note that this will now prevent manual running of freshclam via sudo.
• Check things are working:
  • We can check definitions are in place and used by running:

    curl https://secure.eicar.org/eicar.com.txt | clamscan -
    

  • We can check on-access realtime scanning is working by running:

    cd ~/Downloads/
    wget https://secure.eicar.org/eicar.com.txt
    cat eicar.com.txt
    

    which should generate a notification.
• Add more definitions with fangfrisch .
  • This contains various additional signatures.
  • We can get this from AUR e.g. via pikaur:

    pikaur -S python-fangfrisch
    

    which will set up any configuration with defaults.
  • Initialise the database by running the following (note running as clamav user to aid compatibility with other clamav processes with the -- here delimiting the end of the sudo options):

    sudo -u clamav -- fangfrisch --conf /etc/fangfrisch/fangfrisch.conf initdb
    

    The database will be written to /var/lib/fangfrisch/.
  • Start/enable the timer service to keep this updated:

    systemctl start fangfrisch.timer
    systemctl enable fangfrisch.timer
    

Whitelisting false-positives

Once this was set up I had issues with a lot of errors popping up every time I visited a new webpage. Looking at the clamd log we see:

Fri Apr  3 14:55:31 2026 -> /home/user/.librewolf/73q3g0y1.default-release/
extensions/uBlock0@raymondhill.net.xpi: Sanesecurity.Foxhole
.JS_Zip_1.UNOFFICIAL FOUND

which is an advert and tracking blocker browser extension. This is a common issue with tracking blockers which contain signatures for things to block that might also be recognised by clamav.

We can whitelist this file by adding a false-positives file to the clamav database as false-positives.fp. See clamav whitelist docs for more details.

We place the name of the file in here, but also match the md5 signature so that any future modifications to the file won’t pass by default and will need re-whitelisting.

This can be done with:

sudo bash -c "sigtool --md5 /home/user/file/to/whitelist >> /var/lib/clamav/false-positives.fp"

Aside: desktop notifications

notify-send will raise an error like:

Failed to show notification: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name is not activatable

if no desktop notification app is installed. Some environments (e.g. KDE, GNOME) will come with one, but lighter-weight approaches (e.g. Sway) will not.

Various options exist to raise desktop notifications. I chose mako as something simple that works for me on Sway.

Simply installing (via sudo) with:

pacman -S mako

is enough to set up so that notifications now appear in the top right of the screen. Test this with:

usr/bin/notify-send -u critical -t 5000 "Hello World!"

where -u specified urgency level and -t is time before the notification disappears in ms. More options including icons, app name, etc. can be seen via man notify-send.